New Chinese Android Malware can steal all your chats on WhatsApp, FB Messenger and 12 other IMs

Security researchers have discovered a new strain of Chinese Android Trojan that is built solely to steal your chats and the videos, pictures and audio files shared in them.

One Chinese app, Cloud Module (its name is in Chinese), was found to be infected with this malware; the malicious package name is com.android.boxa.

How is this malware different from others?

Unlike the full-blown remote administration Trojans seen elsewhere, this one is rather simple: it aims only at stealing data from Instant Messaging (IM) apps, while making sure that it stays persistent and well protected from malware detection and prevention systems.

Once installed, it modifies internal Android configuration files so that it launches every time the device starts. This ensures the attacker is always listening to your private communication.

Moreover, the malware carries advanced anti-analysis techniques, including the ability to detect whether it is running in an emulated or virtual environment, which malware analysts commonly use to observe a sample in isolation.

The source code of the malware was also found to be heavily obfuscated, making it extremely difficult for analysts and anti-malware tools to understand how the chat-stealing Trojan works.

Which IMs are targeted by the boxa trojan?

It targets a total of 14 IMs as of now. They are as follows:

1. Facebook Messenger
2. Skype
3. Telegram
4. Twitter
5. WeChat
6. Weibo
7. Viber
8. Line
9. Coco
10. BeeTalk
11. Momo
12. Voxer Walkie Talkie Messenger
13. Gruveo Magic Call
14. TalkBox Voice Messenger

How does this malware spread?

As this is Chinese malware and the Google Play Store is not available in China, the malware is believed to spread through third-party Android app stores and phishing campaigns.

This means Google’s own anti-malware measures will not detect this malware, nor can Google remotely uninstall the infected apps even if it learns about them.

How can consumers stay safe?

Users are advised to be extremely cautious when installing applications on their devices.

Never download apps from third-party app stores, especially those that offer extra functionality such as cracked versions of paid apps or apps with unlocked paid features, including games and other in-app purchases.

Moreover, as this malware is quite possibly being spread via phishing campaigns, like most other malware, users should watch out for fake emails, messages, pop-ups and the like that ask them to click links or download third-party apps. Never click on untrusted links and never download from untrusted sources.

With that in mind, below are some common security measures users should take for the general security of their Android device:

Always check which permissions an app asks you to grant before installing it. Be wary of permissions that don’t seem legitimate: if a calculator app wants access to your call logs or messages, the app clearly wants more than it needs and may be malicious. Trust your gut!
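The permission check above can be scripted rather than done by eye. The following Python example, added here and not part of the original article or any referenced tool, parses the text that the Android SDK's `aapt dump badging` command prints for an APK and flags sensitive permissions that an app of a given category has no obvious reason to request, plus the boot-start permission that underpins the persistence behaviour described earlier. The badging samples, the package names, the sensitive-permission set and the per-category policy table are all constructed for the example.

```python
import re

# Constructed sample of `aapt dump badging <apk>` output for a hypothetical
# calculator app (not a real package). The permissions mirror the article's
# "calculator that wants call logs or messages" case.
SAMPLE_CALCULATOR = """\
package: name='com.example.calcpro' versionCode='3' versionName='1.2'
application-label:'Calculator Pro'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.VIBRATE'
launchable-activity: name='com.example.calcpro.MainActivity'  label='Calculator Pro'
"""

# Constructed sample for a hypothetical messenger whose requests are plausible.
SAMPLE_MESSENGER = """\
package: name='com.example.chat' versionCode='10' versionName='2.0'
application-label:'Example Chat'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
"""

# Permissions that expose private data. A reviewer's policy choice for this
# example, not an exhaustive list of Android's dangerous permissions.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Sensitive permissions each app category has a plausible reason to request.
# Hypothetical policy table; extend it for your own app categories.
EXPECTED_BY_CATEGORY = {
    "calculator": set(),
    "messenger": {
        "android.permission.READ_CONTACTS",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
}

# Lets an app start itself when the device boots: legitimate for some apps,
# but also the persistence mechanism the article describes.
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

PACKAGE_RE = re.compile(r"^package: name='([^']+)'", re.MULTILINE)
PERMISSION_RE = re.compile(r"^uses-permission: name='([^']+)'", re.MULTILINE)


def parse_badging(text):
    """Return (package_name, [requested permissions]) from aapt badging text."""
    match = PACKAGE_RE.search(text)
    package = match.group(1) if match else None
    return package, PERMISSION_RE.findall(text)


def audit_permissions(text, category):
    """Flag sensitive permissions the app's category does not justify."""
    package, perms = parse_badging(text)
    requested = set(perms)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    unexpected = sorted((requested & SENSITIVE_PERMISSIONS) - expected)
    starts_on_boot = BOOT_PERMISSION in requested
    return {
        "package": package,
        "category": category,
        "unexpected_sensitive": unexpected,
        "starts_on_boot": starts_on_boot,
        # A triage hint for a human reviewer, not a malware verdict.
        "verdict": "review" if unexpected or starts_on_boot else "ok",
    }


if __name__ == "__main__":
    for sample, category in ((SAMPLE_CALCULATOR, "calculator"),
                             (SAMPLE_MESSENGER, "messenger")):
        report = audit_permissions(sample, category)
        print(f"{report['package']} ({category}): {report['verdict']}")
        for perm in report["unexpected_sensitive"]:
            print(f"  unexpected: {perm}")
        if report["starts_on_boot"]:
            print("  requests start-on-boot")
```

On a real APK you would feed the script the output of `aapt dump badging app.apk` instead of the embedded samples. The category table is deliberately small: the point is that "unexpected" depends on what the app claims to be, so the calculator is flagged for the same permissions a messenger could legitimately hold.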

This malware spreads by infection. Rather than being distributed as a standalone application, it can be injected into any common Android app a user might want and then circulated online as a duplicate or cracked copy.

Malicious hackers often inject such malware into pirated apps, cracks and other third-party enhancement apps that are generally banned from the Play Store. A user who has no other option is then forced to download the app from elsewhere, already infected, and that is the sole reason malicious hackers give paid apps away for free. Piracy has a big cost; don’t indulge in it.

What makes this malware even more dangerous is its specific goal of snooping on your private messaging, and it is not a long shot to assume that data extracted from users’ private chats can later be used against them in targeted phishing campaigns or even straightforward blackmail. Users’ security is in their own hands, so they must stay cautious.